CVE-2025-12740
Description
A Looker user with a Developer role could create a database connection using the IBM DB2 driver and, by manipulating LookML, cause Looker to execute a malicious command, due to inadequate filtering of the driver's parameters.
Both Looker-hosted and Self-hosted instances were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances; no user action is required for those.
Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ :
- 25.0.93+
- 25.6.84+
- 25.12.42+
- 25.14.50+
- 25.16.44+
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Looker Developer can execute arbitrary commands via crafted LookML due to insufficient filtering of IBM DB2 driver parameters.
Vulnerability
CVE-2025-12740 is a command injection vulnerability in Looker, affecting both Looker-hosted and Self-hosted instances. The root cause is inadequate filtering of parameters used by the IBM DB2 database driver. A user with a Developer role can create a database connection using this driver and, by manipulating LookML (Looker's modeling language), cause Looker to execute a malicious command [1].
Exploitation
Exploitation requires the attacker to have a Looker Developer role, which is a standard permission for users who create and modify data models. By crafting a LookML project that defines a DB2 connection with specially crafted driver parameters, the attacker can inject operating system commands. The attack does not require authentication beyond the user's existing Looker session, but it does require the ability to create or modify LookML files [1].
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the Looker server. Depending on the server's configuration and permissions, this could lead to data exfiltration, lateral movement within the network, or full compromise of the Looker instance. The vulnerability is rated as High severity, indicating significant potential for damage [1].
Mitigation
For Looker-hosted instances, the issue has already been mitigated automatically; no user action is required. Self-hosted instances must be upgraded to the patched versions: 25.0.93+, 25.6.84+, 25.12.42+, 25.14.50+, or 25.16.44+. These versions are available from the Looker download page. No workaround is mentioned, and users should apply the patches as soon as possible [1].
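The mitigation for self-hosted instances is a version floor per release branch, so the practical defender task is to take an inventory of installed Looker versions and decide which hosts still need the upgrade. The following is an added example (not Looker's code or part of the advisory) that does that triage. The fixed-version floors are the five listed in the advisory; the branch-matching rule (a version is compared only against the floor of its own major.minor branch, and branches the advisory does not list are reported as such rather than guessed at), the tolerance for a build suffix such as `-3`, and the host names in the sample inventory are all assumptions made for the example.

```python
"""Triage self-hosted Looker versions against the CVE-2025-12740 fixed-version list.

Added example, not Looker's own code. Fixed floors come from the advisory;
the per-branch comparison rule is an assumption made for this example.
"""
import re

# Minimum patched version on each release branch, as listed in the advisory.
FIXED_VERSIONS = ("25.0.93", "25.6.84", "25.12.42", "25.14.50", "25.16.44")

# Accept "25.12.30" as well as a suffixed build like "25.12.30-1" (assumed format).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as ints; raise on anything unrecognised."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Looker version string: {text!r}")
    return tuple(int(part) for part in match.groups())


# Index the floors by (major, minor) so each installed version is compared
# only against the fix on its own branch.
FIXED_BY_BRANCH = {v[:2]: v for v in map(parse_version, FIXED_VERSIONS)}


def assess(installed):
    """Classify one installed version.

    'patched'         -> at or above the advisory's floor for its branch
    'vulnerable'      -> on a listed branch but below the floor
    'unlisted-branch' -> branch not named in the advisory; verify separately
    """
    version = parse_version(installed)
    floor = FIXED_BY_BRANCH.get(version[:2])
    if floor is None:
        return "unlisted-branch"
    # Tuple comparison orders (major, minor, patch) numerically, so 25.12.42
    # is correctly seen as newer than 25.12.9 rather than compared as text.
    return "patched" if version >= floor else "vulnerable"


def triage(inventory):
    """Map host -> status for an iterable of (host, version) pairs."""
    return {host: assess(version) for host, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = [
        ("bi-prod-1", "25.12.42"),
        ("bi-prod-2", "25.12.30"),
        ("bi-stage", "25.16.44-3"),
        ("bi-legacy", "24.20.11"),
    ]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as `vulnerable` need the branch's listed version or later; `unlisted-branch` hosts are on a release line the advisory does not enumerate, which the advisory says is patched in all supported versions, so confirm support status rather than assuming they are fixed.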
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.